Skip to content

Instantly share code, notes, and snippets.

View 0xcpu's full-sized avatar
💭
I do nothing every day

panda bear 0xcpu

💭
I do nothing every day
267 followers · 86 following
View GitHub Profile
@0xcpu
0xcpu / Get-InjectedThread.ps1
Created June 14, 2017 08:15 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@0xcpu
0xcpu / license_check.md
Last active March 11, 2018 12:28
EasyCTF IV

You should definitely check AdrenSys writeup as it covers details about the challenge and the binary, I don't want to repeat what is already done. (Thank you for a great writeup!)

What I would like to add is how I solved this challenge, in a slightly different way, without involving Z3(although it's a great tool, and you should try it :) ).

The key idea is that all 4 parts of the license key must not be equal to 0, but we know that (email_checksum ^ license_checksum ^ 0xaecbcc2) == 0.

The email checksum is 0xaed12f1, so the license_checksum should be 0x01ae33. Keeping in mind that all 4 parts of the license key should not be equal to 0, we can create a license key with 3 parts having value 1 and the 4th part having value 0x42b0.

@0xcpu
0xcpu / templite.py.patch
Created October 10, 2018 18:43
templite.py python3 patch
32c32
<
---
>
69c69
<
---
>
112,113c112,113
< if isinstance(value, unicode):
@0xcpu
0xcpu / elementary.md
Created March 17, 2019 13:25
Elementary(rev, warmup) - Confidence 2019

Search in IDA for mov eax, 0 and exclude from results those occuring in main function. (Let's save all this in a file named step1)

Then filter the information from step1 to extract only addresses, For example, using this command:

awk '{ print $1 }' step1 | cut -d':' -f2 > avoid_addr

Then use angr script to find a solution.

import angr
@0xcpu
0xcpu / StreamNotes_04212020.md
Created April 29, 2020 14:02 — forked from mattifestation/StreamNotes_04212020.md
Twitch Stream Notes 04/21/2020 - Obfuscated Script-based Malware Analysis with the Anti-Malware Scan Interface (AMSI)
@0xcpu
0xcpu / snake_str_dec.py
Last active June 12, 2020 06:03
IDAPython 3 Snake ransomware string decryption
# IDAPython 3
import ida_funcs
import idautils
import ida_ua
import ida_xref
import ida_bytes
import heapq
from collections import defaultdict
from ctypes import c_ubyte
@0xcpu
0xcpu / EndpointSecurityDemo.m
Created May 18, 2022 12:46 — forked from Omar-Ikram/EndpointSecurityDemo.m
A demo of using Apple's EndpointSecurity framework - tested on macOS Monterey 12.2.1 (21D62)
//
// main.m
// EndpointSecurityDemo
//
// Created by Omar Ikram on 17/06/2019 - macOS Catalina 10.15 Beta 1 (19A471t)
// Updated by Omar Ikram on 15/08/2019 - macOS Catalina 10.15 Beta 5 (19A526h)
// Updated by Omar Ikram on 01/12/2019 - macOS Catalina 10.15 (19A583)
// Updated by Omar Ikram on 31/01/2021 - macOS Big Sur 11.1 (20C69)
// Updated by Omar Ikram on 07/05/2021 - macOS Big Sur 11.3.1 (20E241)
// Updated by Omar Ikram on 04/07/2021 - macOS Monterey 12 Beta 2 (21A5268h)